Security Incidents mailing list archives

RE: Virus? Trojan?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 13 Jan 2003 12:39:18 +1300

"James C Slora Jr" <Jim.Slora () phra com> wrote:

  So far today, I've received two email messages from
kbl-zrz2519.zeelandnet.nl [62.238.233.233]

which, apparently, claimed in its HELO message to *be*
our local MX (which of course was who it was talking TO).
Sounds to me like a bug in the sending software.

  The other thing these messages had in common was a
33KB .scr ("screen saver") executable attachment.
Norton doesn't recognize this as a known threat, but
I don't want to be the first to learn the hard way what
it does.

I've gotten 4 more Yaha-M-infected messages from this same source today. I

I think that is unlikely, as they are infected with Yaha.K.  However, 
as you did not identify the scanner that told you Yaha.M, I'll grant 
that you may just be repeating incorrect information given you by 
your scanner.  A week or so back these were the unique names reported 
among products representing some 20-odd different scan engines:

  1  Lentin.H
  1  I-Worm.Lentin.i
  1  Lentin.K
  1  HLLM.Yaha.1
  3  I-Worm/Yaha.K
  5  Yaha.K
  1  Yaha-K
  1  Yahaa.K
  1  Worm/Yaha.M
  1  Yaha.N
  1  WORM_YAHA.K

To ease the comparison, I removed any standard platform indicating 
precursors (such as "W32" or "Win32") and all standard or otherwise 
modifiers (such as "@mm" and ".Worm") after any standard sub-variant 
name part.  Further simplifying, by removing non-standard name 
components before the family name (e.g. "I-Worm", "WORM_") and 
accepting non-standard delimiters (e.g. "-" instead of "." for the 
sub-variant delimiter) we get:

  1  Lentin.H
  1  Lentin.i
  1  Lentin.K
  1  Yaha.1
 10  Yaha.K
  1  Yahaa.K
  1  Yaha.M
  1  Yaha.N

And, assuming that "Yahaa" was a typo on the part of ... (well, it 
doesn't really matter), we get:

  1  Lentin.H
  1  Lentin.i
  1  Lentin.K
  1  Yaha.1
 11  Yaha.K
  1  Yaha.M
  1  Yaha.N

So, I guess it's easy to see where the naming confusion could come 
from.  This was not helped by the fact that MessageLabs listed Yaha.K 
as Yaha.M for a while.  It is now listed there as W32/Yaha.K!e2a2 
(note MessageLabs' use of the new "!" name modifier indicating the 
"!" and everything to its right is not officially part of the name).

received a few at around the same time you did, starting December 31 when
Yaha-M had not yet been listed. The sender must have one of the first
infected computers. They may be a member of this list or someone who visits
the list archives.

The problem here is that that machine has been infected with Yaha.K 
and not Yaha.M -- at least, I am still receiving, and have only 
received, Yaha.K messages from that machine.  The latest one I 
received had a Date: header (created by the virus) of:

   Date: Fri,10 Jan 2003 13:23:41 PM

Yaha.K was discovered before Christmas, and although that machine 
seemed to start spewing out Yaha Email as Yaha.M was first being 
reported, it is not infected with Yaha.M but with Yaha.K as a simple 
analysis of the file attached to its Email shows.

I agree that the sender may be on this list or a frequenter of the 
archives.  If you are reading this and are a cable (the "kbl" of 
"kbl-zrz2519.zeelandnet.nl" is, at a guess, a contraction of the Dutch 
for "cable") customer of zeelandnet.nl, please head to one of the AV 
sites for a description of Yaha.K (or one of the names above!) and 
find out how to fix it and then do something about getting protected 
so as to reduce the likelihood of becoming infected again.

Since the infections are still coming I've notified the administrator of
zeelandnet.nl - hopefully they will hunt the user down and help them clear
the infection.

So have I -- the problem is they decided the best action was to 
prevent that IP accessing their mail server:

   Thanks for the message.

   The user is blocked for outgoing e-mail to block this virus.

As they don't really say how or what they have blocked, and the 
messages keep coming, I guess they have blocked access to their own 
mail servers, which the virus will not try to use except when it 
tries to send itself to an address for which a zeelandnet.nl mail 
server is the mail-exchanger (AFAICT, Yaha.K's SMTP engine tries to 
resolve MX records in the DNS then sends its mail directly to that 
SMTP server rather than relying on any "local" SMTP servers to relay 
for it).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
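The name-normalisation walked through above, as an added example that is not part of the original post: a constructed list of raw scanner verdicts in the style of those tabulated (the vendor prefixes and suffixes attached here are assumed, since the post shows only the stripped names), reduced to Family.Variant and tallied, with the "Yahaa" typo handled as an optional alias.

```python
import re
from collections import Counter

# Constructed sample of raw scanner verdicts for one file, in the style of those
# the post tabulates. The vendor prefixes/suffixes are assumed; the post shows
# only the already-stripped names.
RAW_VERDICTS = [
    "W32/Lentin.H@mm", "I-Worm.Lentin.i", "Win32.Lentin.K", "HLLM.Yaha.1",
    "I-Worm/Yaha.K", "I-Worm/Yaha.K", "I-Worm/Yaha.K",
    "W32/Yaha.K@mm", "Yaha.K", "W32.Yaha.K.Worm", "Win32/Yaha.K@mm", "Yaha.K!e2a2",
    "W32/Yaha-K", "Yahaa.K", "Worm/Yaha.M", "W32/Yaha.N@mm", "WORM_YAHA.K",
]

PLATFORM_PREFIX = re.compile(r"^(?:W32|Win32)[./_-]", re.I)     # "W32/", "Win32."
TYPE_PREFIX = re.compile(r"^(?:I-Worm|Worm|HLLM)[./_-]", re.I)  # "I-Worm.", "WORM_"
TRAILING_MODIFIERS = re.compile(r"(?:@mm|@m|\.worm)+$", re.I)   # "@mm", ".Worm"
FAMILY_VARIANT = re.compile(r"^([A-Za-z]+)[.\-_]([A-Za-z0-9]+)$")  # accepts "-" or "_" too


def normalize(verdict, aliases=None):
    """Reduce one vendor-specific name to Family.Variant, as the post does by hand."""
    name = verdict.split("!", 1)[0]          # "!" and everything right of it is not the name
    name = PLATFORM_PREFIX.sub("", name)
    name = TYPE_PREFIX.sub("", name)
    name = TRAILING_MODIFIERS.sub("", name)
    m = FAMILY_VARIANT.match(name)
    if not m:
        return name                           # unparseable: keep it visible rather than drop it
    family, variant = m.group(1).capitalize(), m.group(2)   # "YAHA" -> "Yaha", variant kept as-is
    family = (aliases or {}).get(family, family)            # e.g. {"Yahaa": "Yaha"} folds the typo
    return f"{family}.{variant}"


def tally(verdicts, aliases=None):
    """Count verdicts per normalised name; returns a Counter."""
    return Counter(normalize(v, aliases) for v in verdicts)


if __name__ == "__main__":
    for name, n in sorted(tally(RAW_VERDICTS, {"Yahaa": "Yaha"}).items()):
        print(f"{n:3d}  {name}")
```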

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com